meta directory backend and rewriting option '|'

2011-01-27 Thread Lehnert, Hartmut
Hello!
I have a question concerning the pipe option '|' when using the meta
directory backend and rewriting. In the manual pages the '|' option is
marked as not implemented. Does this reflect the actual state of the
software or has somebody just forgotten to update the man page?

Regards,

Hartmut



openldap memberof attribute

2011-01-27 Thread Vincent Li
Hi,

I am doing remote authentication using OpenLDAP to log in to BIGIP. BIGIP
has a feature called remoterole that searches for the attribute 'memberof' on the
LDAP server and, once the attribute is found, assigns the remote user a
role defined in various groups like admin, operator, ... The feature
works for Active Directory, but I am unable to make it work for
OpenLDAP. I couldn't find a 'memberof' attribute in the OpenLDAP schema, so
I created the 'memberof' attribute in core.schema as below:

[root@centos-vli schema]# diff -u core.schema core.schema.orig
--- core.schema 2011-01-24 23:54:42.0 -0800
+++ core.schema.orig2011-01-24 23:46:11.0 -0800
@@ -345,10 +345,6 @@
DESC 'X.520(4th): pseudonym for the object'
SUP name )

-attributetype ( 2.5.4.66 NAME 'memberof'
-DESC 'RFC2256: member of a group'
-SUP distinguishedName )
-
 # Standard object classes from RFC2256

 # system schema
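Review bot: the attribute definition in this hunk fabricates both an OID and a provenance. 2.5.4.x is the X.520 standard attribute arc, so `2.5.4.66` is not available for local assignment and may collide with a real X.520 attribute, and the DESC `'RFC2256: member of a group'` names an RFC that defines no such attribute. A locally defined attribute would belong in a separate schema file under a private OID arc, but none is needed here: slapo-memberof (the overlay recommended in the reply below) ships its own memberOf attribute definition and maintains the values itself. Also note the diff was produced as `diff -u core.schema core.schema.orig`, i.e. modified file first, so the lines that were added show up with `-`; swap the operands so the patch reads and applies the normal way.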
@@ -425,7 +421,7 @@
 objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
-   MUST ( member $ memberof $ cn )
+   MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )

 objectclass ( 2.5.6.10 NAME 'residentialPerson'
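Review bot: adding `memberof` to the MUST list of `groupOfNames` alters a standard object class (2.5.6.9) and forces every group entry to carry a memberof value; that is why the LDIF below has to make the user entry a `groupOfNames` with a `member` pointing back at the group, just to get the entry past the schema check. Leave groupOfNames as shipped and let the overlay add memberOf to member entries; an entry-side value that must be kept in step with `member` by hand will drift the first time a group is edited.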

and here is my sample ldif file:

dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch

# create the itpeople entry under groups

dn: cn=administrator,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: administrator
description: bigip admin group
member: uid=user5,ou=people,dc=example,dc=com

dn: uid=user5,ou=People,dc=example,dc=com
uid: user5
cn: user5
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: groupOfNames
userPassword: secret
shadowLastChange: 14997
shadowMin: 0
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/user5
member: cn=administrator,ou=groups,dc=example,dc=com
memberof: cn=administrator,ou=groups,dc=example,dc=com

I can log in to BIGIP fine with user5, but I can't get the administrator
role defined in BIGIP. Is it something I configured wrong in OpenLDAP,
or is the problem on BIGIP?

Thanks

Vincent


deleting schema elements from cn=config

2011-01-27 Thread Tim Gustafson
Hi,

I'm trying to understand how to delete a schema element.  I'm running slapd 
2.4.23 on FreeBSD 8.1.  When I try to run ldapdelete:

ldapdelete -H ldap://localhost -D uid=tjg,cn=config -W -x 'cn={7}java,cn=schema,cn=config'

I get the following in the log file:

--
daemon: read activity on 18
daemon: select: listen=6 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=1068
connection_read(18): checking for input on id=1068
op tag 0x4a, time 1296090324
conn=1068 op=1 do_delete
 dnPrettyNormal: cn={7}java,cn=schema,cn=config
daemon: activity on 1 descriptor
 dnPrettyNormal: cn={7}java,cn=schema,cn=config, 
cn={7}java,cn=schema,cn=config
conn=1068 op=1 DEL dn=cn={7}java,cn=schema,cn=config
send_ldap_result: conn=1068 op=1 p=3
send_ldap_result: err=53 matched= text=
send_ldap_response: msgid=2 tag=107 err=53
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=zero
conn=1068 op=1 RESULT tag=107 err=53 text=
daemon: activity on 1 descriptor
daemon: activity on:
 18r
--

cn={7}java,cn=schema,cn=config is empty; I've already deleted all the 
objectClass and attribute definitions from it, but now it seems I can't delete 
the schema entry itself.  What am I doing wrong?

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
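The useful part of that log is the pair of lines `conn=1068 op=1 DEL dn=...` and `conn=1068 op=1 RESULT tag=107 err=53`; everything else is daemon noise. Here is an added example (not OpenLDAP code and not from the post) that pulls those per-operation records out of a slapd log and decodes the result: 53 is unwillingToPerform in LDAP, which is what slapd answers when a backend refuses an operation outright rather than for ACL or schema reasons. The sample lines are the ones from the post plus one constructed successful MOD for contrast; the result-code table is the RFC 4511 one.

```python
"""Turn slapd 'conn=N op=M ...' log lines into per-operation records and
flag write operations against cn=config that did not succeed."""
import re

# LDAP resultCode values from RFC 4511 (subset that matters for writes).
LDAP_RESULT = {
    0: 'success', 32: 'noSuchObject', 49: 'invalidCredentials',
    50: 'insufficientAccessRights', 53: 'unwillingToPerform',
    65: 'objectClassViolation', 66: 'notAllowedOnNonLeaf',
    68: 'entryAlreadyExists',
}
WRITE_OPS = {'ADD', 'DEL', 'MOD', 'MODRDN'}
READ_OPS = {'SRCH', 'BIND', 'CMP'}

_OP = re.compile(r'conn=(\d+) op=(\d+) (\S+)(.*)')
_KV = re.compile(r'(\w+)=(\S*)')

# Lines from the post, plus a constructed successful MOD (op=2) for contrast.
SAMPLE_LOG = """\
conn=1068 op=1 do_delete
conn=1068 op=1 DEL dn=cn={7}java,cn=schema,cn=config
send_ldap_result: conn=1068 op=1 p=3
send_ldap_result: err=53 matched= text=
send_ldap_response: msgid=2 tag=107 err=53
conn=1068 op=1 RESULT tag=107 err=53 text=
conn=1068 op=2 MOD dn=olcDatabase={1}hdb,cn=config
conn=1068 op=2 RESULT tag=103 err=0 text=
"""


def parse_slapd_log(lines):
    """Return {(conn, op): record}, merging the request line (type, dn, ...)
    with its RESULT line (err, decoded result). Lines without a
    'conn=N op=M' prefix, and internal trace lines, are ignored."""
    ops = {}
    for line in lines:
        m = _OP.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        verb, fields = m.group(3), dict(_KV.findall(m.group(4)))
        rec = ops.setdefault(key, {'conn': key[0], 'op': key[1]})
        if verb in WRITE_OPS or verb in READ_OPS:
            rec['type'] = verb
            rec.update(fields)              # dn=..., base=..., filter=...
        elif verb == 'RESULT':
            rec['err'] = int(fields.get('err', '0'))
            rec['result'] = LDAP_RESULT.get(rec['err'], 'code %d' % rec['err'])
    return ops


def failed_config_writes(ops):
    """Write operations targeting cn=config whose RESULT was not success."""
    out = []
    for key in sorted(ops):
        rec = ops[key]
        dn = rec.get('dn', '')
        if (rec.get('type') in WRITE_OPS and rec.get('err', 0) != 0
                and dn.lower().endswith('cn=config')):
            out.append((rec['conn'], rec['op'], rec['type'], dn, rec['result']))
    return out


if __name__ == '__main__':
    for conn, op, kind, dn, result in failed_config_writes(
            parse_slapd_log(SAMPLE_LOG.splitlines())):
        print('conn=%d op=%d %s %s -> %s' % (conn, op, kind, dn, result))
```

Run it over the real log (`parse_slapd_log(open('/var/log/slapd.log'))`) to see, per connection and operation, which writes to the config database were refused and with which code; the tag numbers slapd prints are the protocol-op tags (107 = 0x6b is DelResponse), so they only tell you the operation type, not why it failed.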




Re: openldap memberof attribute

2011-01-27 Thread Michael Ströder
Vincent Li wrote:
 I couldn't find 'memberof' attribute in OpenLDAP schema, so
 I created the 'memberof' attribute in core.schema as below:

The overlay memberof is what you're looking for.

man 5 slapo-memberof

Ciao, Michael.
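For readers landing here: an added example, not part of Michael's reply or of the OpenLDAP project, of what that looks like in slapd.conf for the entries in the question. The directives are the ones documented in slapo-memberof(5); the database section, directory, rootdn and module path are assumptions.

```conf
# Only needed when the overlay is built as a module; with
# --enable-memberof it is compiled in and this line is not required.
moduleload  memberof.la

database    hdb
suffix      "dc=example,dc=com"
# The overlay writes memberOf as this identity unless memberof-dn is set.
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

# slapo-memberof: groups are groupOfNames entries, membership lives in
# 'member', and the overlay mirrors it into each member's memberOf.
# Nothing in core.schema changes; the overlay carries its own
# definition of the memberOf attribute.
overlay     memberof
memberof-group-oc     groupOfNames
memberof-member-ad    member
memberof-memberof-ad  memberOf
# 'ignore' leaves member values that point at non-existent entries
# alone (the alternatives are drop and error).
memberof-dangling     ignore
# Keep member and memberOf consistent when a member entry is deleted
# or renamed instead of leaving the other side dangling.
memberof-refint       TRUE
```

Verify with `ldapsearch -x -H ldap://localhost -b dc=example,dc=com '(uid=user5)' memberOf`. The overlay declares memberOf as an operational attribute, so it is only returned when requested by name (or with `+`); a client that asks for the default attribute set will never see it, which is the first thing to check on the BIG-IP side. The overlay also maintains memberOf on the writes it sees: groups that already existed before it was enabled are not back-filled, so modify or reload those once so their members pick up the attribute.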


MemberOf attribute not being returned

2011-01-27 Thread Mark Cairney
Hi,

I'm sure this was working in the past on this server but I'm now not getting 
anything returned when I request the memberOf attribute.

I compiled OpenLDAP 2.4.23 with the following flags:

./configure --prefix=/usr/local/authz --enable-meta --enable-ldap --enable-bdb \
  --enable-monitor --enable-syncprov --enable-translucent --enable-memberof \
  --enable-dyngroup --enable-dynlist --with-threads --with-tls --with-cyrus-sasl \
  --enable-syslog --enable-spasswd
cd
make depend
make
make test
make install

I'm using slapd.d and I have the following in 
/usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb

olcOverlay={0}dynlist.ldif
olcOverlay={1}memberof.ldif
olcOverlay={2}syncprov.ldif

The contents of olcOverlay\=\{1\}memberof.ldif are:

dn: olcOverlay={1}memberof
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcMemberOfDangling: ignore
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: posixGroup
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
structuralObjectClass: olcMemberOf
entryUUID: 4d5a3aa8-fbac-45c9-b259-941d13e02724
creatorsName: cn=config
createTimestamp: 20100318151149Z
entryCSN: 20100318151149.488341Z#00#003#00
modifiersName: cn=config
modifyTimestamp: 20100318151149Z
olcOverlay: {1}memberof


The log is attached (openldap.log, binary attachment not reproduced here).

Any ideas? The only thing I've changed recently is the ACLs.

Kind regards,

Mark

/* 
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk

*/

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.



RE: MemberOf attribute not being returned

2011-01-27 Thread Mark Cairney
Nevermind, I think I know what's happening. My user account was updated  on our 
current live server running OpenLDAP 2.3 which doesn't have the MemberOf 
overlay.

When this change was applied using syncrepl the memberOf field must have been 
removed.

I'll take the old server out of the syncrepl  but in the meantime is there any 
way to ensure this field is preserved when provisioning accounts in LDAP?

Kind regards,

Mark

/* 
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk

*/


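Both memberOf threads on this page come down to the same thing: memberOf is derived data, and it is only trustworthy while exactly one component maintains it. Vincent's entries carry a hand-written memberof next to member, and Mark's consumer lost its values when a 2.3 provider without the overlay pushed the entry over syncrepl. The script below, an added example that is not OpenLDAP code, recomputes from an LDIF dump (for instance `slapcat -n 1` on the replica) what slapo-memberof would store and reports every entry whose memberOf is missing or stale; running it on provider and consumer and comparing the findings shows which side has drifted. The sample LDIF inside it is constructed from the entries in Vincent's post; base64 (`::`) values are kept raw, which is harmless for these attributes, and escaped commas in DNs are not handled.

```python
"""Audit stored memberOf values against groupOfNames/member in an LDIF dump."""
from collections import defaultdict

# Constructed sample modelled on the entries in the question: user5 has
# lost its memberOf, user6 carries one that no group confirms.
SAMPLE_LDIF = """\
dn: cn=administrator,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: administrator
member: uid=user5,ou=people,dc=example,dc=com

dn: uid=user5,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user5
cn: user5
sn: user5

dn: uid=user6,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user6
cn: user6
sn: user6
memberOf: cn=administrator,ou=groups,dc=example,dc=com
"""


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so that
    'uid=user5,ou=People,...' and 'uid=user5, ou=people,...' compare equal."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}} per entry."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:      # LDIF continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, dn, attrs = {}, None, None
    for line in logical + ['']:                  # trailing '' flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        name, value = name.strip().lower(), value.strip()
        if name == 'dn':
            dn, attrs = normalize_dn(value), defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    return entries


def expected_memberof(entries, group_oc='groupOfNames', member_ad='member'):
    """What the overlay would store: dn -> set of group DNs listing it as member.
    group_oc/member_ad mirror memberof-group-oc / memberof-member-ad."""
    group_oc, member_ad = group_oc.lower(), member_ad.lower()
    expected = defaultdict(set)
    for dn, attrs in entries.items():
        classes = {v.lower() for v in attrs.get('objectclass', [])}
        if group_oc in classes:
            for member in attrs.get(member_ad, []):
                expected[normalize_dn(member)].add(dn)
    return expected


def audit(entries, memberof_ad='memberOf'):
    """Return [(dn, missing_groups, stale_groups)] for each entry whose stored
    memberOf differs from what its group memberships imply."""
    expected = expected_memberof(entries)
    findings = []
    for dn in sorted(entries):
        actual = {normalize_dn(v) for v in entries[dn].get(memberof_ad.lower(), [])}
        wanted = expected.get(dn, set())
        if actual != wanted:
            findings.append((dn, sorted(wanted - actual), sorted(actual - wanted)))
    return findings


if __name__ == '__main__':
    for dn, missing, stale in audit(parse_ldif(SAMPLE_LDIF)):
        print(dn)
        for group in missing:
            print('  missing memberOf:', group)
        for group in stale:
            print('  stale memberOf:  ', group)
```

The group object class and attribute names are parameters so the same check works for a `posixGroup`/`memberUid` style setup only after you adapt the member resolution; as written it assumes DN-valued membership, which is what memberof-member-ad expects.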



Re: MemberOf attribute not being returned

2011-01-27 Thread Howard Chu

Mark Cairney wrote:

Hi,

I'm sure this was working in the past on this server but Im now not getting 
anything returned when I request the memberOf attribute.

I compiled OpenLDAP 2.4.23 with the following flags:

./configure --prefix=/usr/local/authz --enable-meta --enable-ldap --enable-bdb 
--enable-monitor --enable-syncprov --enable-translucent --enable-memberof 
--enable-dyngroup --enable-dynlist --with-threads --with-tls --with-cyrus-sasl 
--enable-syslog --enable-spasswd cd  make depend make make test make install

I'm using slapd.d and I have the following in 
/usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb

olcOverlay={0}dynlist.ldif
olcOverlay={1}memberof.ldif
olcOverlay={2}syncprov.ldif

The contents of olcOverlay\=\{1\}memberof.ldif are:


You should not be poking or peeking at the files inside slapd.d. You should be 
using slapcat -n0 or ldapsearch -b cn=config to show the contents of the 
config database. As with other slapd databases, its structure and format are 
subject to change without notice at any time. The only thing guaranteed to 
remain compatible is the LDAP interfaces to the database.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: MemberOf attribute not being returned

2011-01-27 Thread Mark Cairney
Warning duly noted. Running less on the files in question seemed like the best way of 
providing a concise description of what configuration I had and where in the 
config it lay.
As it stands I answered my question anyway.

Kind regards,

Mark

On 27 Jan 2011, at 12:16, Howard Chu wrote:

 Mark Cairney wrote:
 Hi,
 
 I'm sure this was working in the past on this server but Im now not getting 
 anything returned when I request the memberOf attribute.
 
 I compiled OpenLDAP 2.4.23 with the following flags:
 
 ./configure --prefix=/usr/local/authz --enable-meta --enable-ldap 
 --enable-bdb --enable-monitor --enable-syncprov --enable-translucent 
 --enable-memberof --enable-dyngroup --enable-dynlist --with-threads 
 --with-tls --with-cyrus-sasl --enable-syslog --enable-spasswd cd  make 
 depend make make test make install
 
 I'm using slapd.d and I have the following in 
 /usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb
 
 olcOverlay={0}dynlist.ldif
 olcOverlay={1}memberof.ldif
 olcOverlay={2}syncprov.ldif
 
 The contents of olcOverlay\=\{1\}memberof.ldif are:
 
 You should not be poking or peeking at the files inside slapd.d. You should 
 be using slapcat -n0 or ldapsearch -b cn=config to show the contents of 
 the config database. As with other slapd databases, its structure and format 
 are subject to change without notice at any time. The only thing guaranteed 
 to remain compatible is the LDAP interfaces to the database.
 
 -- 
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
 

/* 
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: mark.cair...@ed.ac.uk

*/





slapo-cache and searches by dynlist (with !)

2011-01-27 Thread Angel L. Mateo

Hello,

	I'm trying to use pcache overlay to cache queries done by dynlist 
overlay. This is the configuration I have:


database hdb
suffix userSuffix
...
overlay dynlist
dynlist-attrset labeledURIObject labeledURI

# This is because data obtained by dynlist is in another ldap directory
database ldap
suffix dc=mydomain,dc=com
access ...
uri ldap://anotherldap ...
overlay pcache
pcache  hdb 1000 1 10 60
pcacheAttrset 0 irisClassifCode sn1 givenName
pcacheMaxQueries 1
pcacheTemplate  (&(objectClass=)(irisPersonalUniqueId=)) 0 3600
directory   /var/lib/ldap/cachepublica
cachesize   100

The pcacheTemplate is because labeledURI attributes are in the form:

labeledURI: ldap:///dc=mydomain,dc=com?irisClassifCode,sn1,givenName?one?
 (irisPersonalUniqueID=someCode)

The final search done in the final ldap directory is:

filter=(&(!(objectClass=labeledURIObject))(irisPersonalUniqueID=someCode))

	so I think I need to negate the search in the pcacheTemplate, but I 
can't because I get the error:


/etc/ldap/slapd.conf: line 419: unable to parse template: 
AttributeDescription contains inappropriate characters.


whenever I try to put the '!' in the template.

Is there any way to cache this kind of query?

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \\
http://www.um.es/atica_(___V
Tfo: 868887590
Fax: 86337
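To see why the configured template cannot serve the query that dynlist actually sends, here is an added example (not OpenLDAP's pcache code) that applies the pcache template rule: a template is a search filter with its assertion values blanked, and a query can only be answered from the cache under a template with the identical structure (same attributes, operators and nesting). All filters used are the ones from the post; attribute names are case-folded since LDAP treats them case-insensitively.

```python
"""Reduce RFC 4515 search filters to slapo-pcache style templates and check
whether a given query fits a configured template."""
import re

_ITEM = re.compile(r'^([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)$', re.S)

# From the post: the template in slapd.conf, the filter dynlist issues once
# it expands the labeledURI, a plain query for comparison, and the template
# the poster wants to write.
CONFIGURED = '(&(objectClass=)(irisPersonalUniqueId=))'
DYNLIST_QUERY = '(&(!(objectClass=labeledURIObject))(irisPersonalUniqueID=someCode))'
PLAIN_QUERY = '(&(objectClass=person)(irisPersonalUniqueID=someCode))'
WANTED = '(&(!(objectClass=))(irisPersonalUniqueId=))'


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|', children), ('!', child) or
    (comparison, attribute, value). Raises ValueError on malformed input."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError('expected %r at offset %d in %r' % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect('(')
        op = text[pos:pos + 1]
        if op and op in '&|!':
            pos += 1
            children = []
            while text[pos:pos + 1] == '(':
                children.append(node())
            expect(')')
            if op == '!':
                if len(children) != 1:
                    raise ValueError('"!" takes exactly one operand')
                return ('!', children[0])
            return (op, tuple(children))
        end = text.find(')', pos)            # RFC 4515 escapes ')' in values as \29
        if end < 0:
            raise ValueError('unterminated filter item in %r' % text)
        m = _ITEM.match(text[pos:end])
        if not m:
            raise ValueError('bad filter item %r' % text[pos:end])
        pos = end + 1
        attr, comparison, value = m.groups()
        return (comparison, attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError('trailing data %r after filter' % text[pos:])
    return tree


def to_template(tree):
    """Blank assertion values the way pcache keys a query to a template;
    presence ('*') is kept because it carries no value."""
    tag = tree[0]
    if tag in ('&', '|'):
        return (tag, tuple(to_template(c) for c in tree[1]))
    if tag == '!':
        return ('!', to_template(tree[1]))
    comparison, attr, value = tree
    return (comparison, attr.lower(), '*' if value == '*' else '')


def render(tree):
    """Serialise a tree back to filter syntax."""
    tag = tree[0]
    if tag in ('&', '|'):
        return '(%s%s)' % (tag, ''.join(render(c) for c in tree[1]))
    if tag == '!':
        return '(!%s)' % render(tree[1])
    comparison, attr, value = tree
    return '(%s%s%s)' % (attr, comparison, value)


def template_of(query):
    """The template string a query would need to be cached under."""
    return render(to_template(parse_filter(query)))


def fits_template(query, template):
    """True when the query has exactly the structure of the template."""
    return to_template(parse_filter(query)) == to_template(parse_filter(template))


if __name__ == '__main__':
    for q in (PLAIN_QUERY, DYNLIST_QUERY):
        print(q, '->', template_of(q))
        for t in (CONFIGURED, WANTED):
            print('   fits', t, ':', fits_template(q, t))
```

`template_of(DYNLIST_QUERY)` comes out as `(&(!(objectclass=))(irispersonaluniqueid=))`, which is not the configured `(&(objectClass=)(irisPersonalUniqueId=))`: the negation dynlist wraps around `objectClass` makes the structure different, so the configured template can never serve that query, and the only template that would is the one with the `!` that this slapd refuses to parse.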